Cannot get Claims Mapping working with custom OIDC IDP (Auth0)

(0) Share

Report

Posted on by CU03041424-0

I have created a custom OIDC identity provider for my Power Pages site, which uses Auth0. Logging into the site via Auth0 is working successfully.

However, my issue is that I cannot get Claims Mapping (for Registration and Login) working - I have tried multiple different mappings of Contact table column to claim, and multiple different formats and have not managed to get a single claim to be captured in the Contact table.

Here are the relevant parts of the configuration of the identity provider & Contact table and some sample claims data:

IDP config:

Provider name = Auth0
Authority, Client ID, Client secret are all set (without these login would not work at all)
Metadata address = the Authority URL + /.well-known/openid-configuration (have checked that browsing this returns the usual JSON with endpoints etc)
Scope = openid profile email
Response type = code id_token
Response mode = form_post
Issuer filter = not set
Validate audience = off
Validate issuer = off
Use token lifetime = off
Contact mapping with email = on

Contact table:

Here are some of the columns I have tried mapping to, and their logical names (the logical name is what I understand has to be used in the claim mapping). Each column's type is Single Line Of Text.

Full Name = fullName
First Name = firstName
Last Name = lastname
Test = crc8d_test

Site setting to enable UserInfo endpoint

As per docs, I have created a record in the Site Setting table as follows to enable retrieving of claims from the UserInfo endpoint. This was done weeks ago and the site has been manually restarted also, so should have "taken".

(also tried using ../Auth0/... within the setting name, but as all the other settings that belong to my config above have .../OpenId_1/.... I guess that is the right name)

Sample claims JSON

In order to be sure about the claims keys for the mapping, I wrote a .NET OWIN app to perform a login against Auth0 using the same settings as above, and captured the following claims data from the authentication ticket the app got back.

You can see there are claims called "name" & "nickname". There is also a lot of other data in a JSON string in a claim called "userdetails" ... not sure if this is accessible however.

Mappings I have tried

None of the following resulted in data being captured in the in the First Name, Full Name & Test columns in the Contact table:

firstName=userinfo.nickname,fullName=userinfo.name,crc8d_test=userinfo.userID
firstName=nickname,fullName=name,crc8d_test=userID

A record does get created in the table with the expected Email the first time a user logs in.

Can anyone point out what I am doing wrong?

Also, if I can get the mapping working, could the serialised data inside my userdetails claim be mapped in a deserialised form, e.g. firstName=userinfo.userdetails.firstName ?

Many thanks

Categories:

Security

I have the same question (0)

All responses (2)

Answers (0)

Sort by

Suggested answer

11manish 1,315 on at

Like (0)

Report
Copy link

Link copied!
In Power Pages:

Claims mapping only works with claims that are directly available in the ID token or UserInfo response in a flat structure

Your problem is likely due to:

1. Incorrect claim prefix (userinfo.)

Power Pages does NOT require userinfo. prefix in mapping.

This will NOT work:

firstName=userinfo.nickname

Correct format:

firstname=nickname

2. Logical name mismatch (case-sensitive & exact)

Dataverse expects:

Field Logical Name

First Name firstname

Last Name lastname

Full Name not directly writable

You used:

firstName (wrong casing)

fullName (not valid logical field)

3. “Full Name” cannot be mapped

fullname is system-generated

You must map:

firstname

lastname

4. Claims not present in ID token

Even though your .NET app shows claims:

Power Pages only reads:

ID Token claims

OR UserInfo endpoint (if correctly configured)

If Auth0 is not sending them in ID token → mapping fails silently

5. UserInfo endpoint setting likely incorrect

Your setting name must match provider exactly.

Correct pattern:

Authentication/OpenIdConnect/Auth0/GetClaimsFromUserInfoEndpoint

Value:

true

Correct Working Mapping

Use this format:

firstname=nickname,lastname=name,crc8d_test=sub

Notes:

sub = safest unique identifier

Ensure claim exists in token

How to Verify (Very Important)

Use:

Browser DevTools → Network → login request

Decode ID token at jwt.ms

Confirm claims exist:

nickname

name

email

Why your attempts failed

Used userinfo. prefix

Used wrong logical names

Tried mapping system field (fullname)

Possibly claims not in ID token

About Nested JSON (userdetails)

This will NOT work:

firstname=userinfo.userdetails.firstName

Power Pages does NOT support:

Nested JSON parsing

Complex claim extraction

Workaround

In Auth0:

Use Rules / Actions

Flatten claims:

{
"firstName": "John",
"lastName": "Doe"
}

Best Practice Setup

In Auth0:

Add custom claims to ID token:

{
"firstname": "...",
"lastname": "..."
}

Then map:

firstname=firstname,lastname=lastname

Was this reply helpful? Yes No
CU03041424-0 2 on at

Like (0)

Report
Copy link

Link copied!

Thanks for the very thorough answer - I will test out your suggestions.

FYI, the reason I prefixed every claim in the mapping with "userinfo." is because this is what is specifies in the docs (https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider#additional-settings-in-power-pages):

Mapping syntax:

To use UserInfo claims in login or registration claim mappings, use this format:

fieldName = userinfo.claimName

If UseUserInfoEndpointforClaims isn't enabled, mappings that use the userinfo. prefix are ignored.

Thanks again

Was this reply helpful? Yes No